m (Mediawiki) |
(Added Persistent SSH Tunnels) |
Line 202: | Line 202: | ||
== PPTP == | == PPTP == | ||
{{go to top}} | {{go to top}} | ||
== Persistent SSH Tunnels == | |||
{{go to top}} | |||
The following is how to create a persistent SSH Tunnel between two systems. This is handy if you want to secure data flowing across networks, or even setup a tunnel without messing with VPN configuration. | |||
===Create User/Generate SSH key=== | |||
First you will create the user you will use for the tunnel. This will allow you to forward non-privileged ports over 1024. | |||
''Note: This user does not have a password assigned or a shell. This will prevent user logins to the system.'' | |||
<pre> | |||
useradd -m -s /bin/false autossh | |||
</pre> | |||
Now switch to the user and generate an SSH key: | |||
<pre> | |||
su -s /bin/bash useradd | |||
cd ~ | |||
ssh-keygen -b 4096 | |||
</pre> | |||
''Note: Leave password blank'' | |||
Once done, exit back to your normal user shell | |||
<pre> | |||
exit | |||
</pre> | |||
===Copy public key to target system=== | |||
You will need to copy '''''id_rsa.pub''''' file from '''''/home/useradd/.ssh/''''' to the '''''authorized_keys''''' file on the remote system you want to connect to for the tunnel. | |||
''Note: It is recommended that you also create a normal user on the remote system and not use root.'' | |||
===Install autossh=== | |||
You will need to install the autossh program on the system that will initiate the SSH tunnel. Autossh automatically restarts the SSH tunnel when it exits. | |||
<pre> | |||
apt-get install autossh | |||
</pre> | |||
===Setup script=== | |||
Copy the following script, making the necessary changes as specified between the <> and place on the system that will initiate the tunnel (usually /opt): | |||
<pre> | |||
#!/bin/sh | |||
# | |||
# Uses autossh to establish a tunnel to allstarlink.org for the Graylog Collector Sidecar | |||
# on seal to pass data. | |||
su -s /bin/sh autossh -c 'autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure=yes" -f -T -R localhost:<target port>:<local IP or localhost>:<local port> <user>@<domain>' | |||
</pre> | |||
{| class="wikitable" | |||
! Parameter !! Description | |||
|- | |||
| localhost || localhost or IP address on target system | |||
|- | |||
| <target port> || port on target system | |||
|- | |||
| <local IP or localhost> || localhost or IP address on system initiating tunnel | |||
|- | |||
| <local port> || port on system initiating tunnel | |||
|- | |||
| <user@domain> || username and domain to use when SSHing to target system | |||
|} | |||
An example of this command is: | |||
<pre> | |||
su -s /bin/sh autossh -c 'autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure=yes" -f -T -R localhost:3306:localhost:3306 joe@blow.com' | |||
</pre> | |||
This would allow the target (remote) system to access the local (system initiating the SSH tunnel) system's MySQL server over the tunnel. | |||
You can also use -L to change the direction of the port forwarding from Remote to Local and have the initiating system forward data over the tunnel the the remote. | |||
===Make script executable=== | |||
Make sure you mark the script as executable with: | |||
<pre> | |||
chmod +x <name_of_script>.sh | |||
</pre> | |||
===Tunnel at startup=== | |||
To have this tunnel automatically start if the system is rebooted, add a call to the script to rc.local. | |||
<pre> | |||
/opt/<name_of_script>.sh | |||
</pre> | |||
''Note: You may have to enable rc.local on Ubuntu and Debian based systems via systemd. Refer to your distributions documentation for information on how to enable it.'' | |||
== GRE Tunnel == | == GRE Tunnel == | ||
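Review bot: the account created in the "Create User/Generate SSH key" step is `autossh`, but the very next block switches to a different name (`su -s /bin/bash useradd`) and the "Copy public key to target system" step reads the key from `/home/useradd/.ssh/`; as written the `su` fails because no user called `useradd` exists, and readers will look for the key in the wrong home directory. Suggest `su -s /bin/bash autossh` and `/home/autossh/.ssh/id_rsa.pub`. Smaller points in the same hunk: the parameter table lists `<user@domain>` while the command uses `<user>@<domain>`, so the placeholders should match; the script header comment still names allstarlink.org, the Graylog Collector Sidecar and the host "seal", which are leftovers from one deployment and should be generalized for a how-to; and "the the remote" in the `-L` paragraph is a doubled word. Because the tunnel user is created with `-s /bin/false` and the client runs with `-N`, it is also worth telling the reader that the public key placed in `authorized_keys` on the remote system should be limited to port forwarding (for example by prefixing the key line with the `restrict,port-forwarding` options), so a stolen key from the initiating system cannot be used for an interactive login; and the `-R localhost:3306:localhost:3306` example exposes the local MySQL server to anything that can reach the remote host's loopback interface, which the surrounding text should state explicitly.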
Line 257: | Line 342: | ||
encapsulation l2tpv3 | encapsulation l2tpv3 | ||
ip local interface Loopback0 | ip local interface Loopback0 | ||
ip pmtu | ip pmtu | ||
ip tos value 10 | ip tos value 10 |